Weaknesses in RFID-based transponders

2005-01-29 Thread Matt Blaze
A group of computer scientists at Johns Hopkins and RSA Labs
is reporting practical attacks against the TI "Digital Signature
Transponder" RFID chip, which is used, among other things, to
secure many automotive "transponder" ignition keys and the
"SpeedPass" payment system.  Their paper is available at
   http://www.rfidanalysis.org
The results are also mentioned in today's New York Times, at
   http://www.nytimes.com/2005/01/29/national/29key.html
Aside from the practical significance of this work (a thief
may be able to copy your ignition immobilizer and payment
transponder from a short distance away without your knowledge
or cooperation), it nicely illustrates yet again the increasing
convergence of cryptology, computer security and physical security,
as well as the importance of exposing any security technology to
scrutiny before it is fielded.
From a cursory scan of the paper, it appears that these attacks
could have been easily avoided had the designers of the system
followed well known, widely accepted computer security practices
such as the use of well-scrutinized algorithms and, most importantly,
not depending on easily discovered "secrets".  Unfortunately, as
this work demonstrates, many designers of both computer and
physical security systems have yet to take these principles
seriously.
-matt
-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


Cryptanalytic attack on an RFID chip

2005-01-29 Thread Steven M. Bellovin
Steve Bono, Matthew Green, Adam Stubblefield, Ari Juels, Avi Rubin, and
Michael Szydlo have successfully attacked a cryptographically-enabled 
RFID chip made by Texas Instruments.  This chip is used in anti-theft 
automobile immobilizers and in the ExxonMobil SpeedPass.  You can find 
details at http://www.rfidanalysis.org/ (and a link to the draft paper),
and a New York Times article at 
http://www.nytimes.com/2005/01/29/national/29key.html

The paper itself is very nice, and combines RF techniques, 
cryptanalysis, Internet sleuthing, space-time tradeoffs, and more.  
There are some points I'm sure we'll be discussing at length, such as 
the authors' decision to withhold some of the details of their attack, 
the actual effective range of an RFID transponder when the attacker 
uses a suitable antenna, and the practical significance of the work.  
But oddly enough, what struck me was TI's response: rather than 
attacking the researchers, they co-operated, to the extent of providing 
them with challenge keys to see if the technique was really that 
effective.  TI is to be congratulated -- such a response is all too 
rare.

Btw, the paper suggests carrying car keys or SpeedPasses in aluminum 
foil.  I suspect that a more practical form factor is a spring-loaded 
conductive sleeve that normally surrounds the RFID chip, but is pushed 
back either manually or on key insertion.

--Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb





Re: Simson Garfinkel analyses Skype - Open Society Institute

2005-01-29 Thread Adam Shostack
On Fri, Jan 28, 2005 at 02:38:49PM -0500, Mark Allen Earnest wrote:
| Adam Shostack wrote:
| >I hate arguing by analogy, but:  VOIP is a perfectly smooth system.
| >Its lack of security features means there isn't even a ridge to trip
| >you up as you wiretap.  Skype has some ridge.  It may turn out that
| >it's very very low, but it's there.   Even if that's just the addition
| >of an openssl decrypt line to a reconstruct shell script.
| >
| >In that case, the value of 'better' is vanishingly small, but it will
| >still take an attacker at least 5 minutes to figure that out.
| 
| I would contend that a false sense of security is worse than no security 
| at all. Someone's behavior may be different if they are wrongfully 
| assuming that their communications are encrypted by what they believe is 
| strong encryption when in fact it may be "very very low".

I fully agree with you that, if people had a sense of how their
conversations could be eavesdropped on, then this would be the case.
But, given what people talk about on their cell phones and cordless
phones, and what they send via unencrypted email, they are acting like
they think their communications are secure in the absence of any
encryption.  So I don't think adding some 'cryptographic mumbo jumbo'
is going to change their sense of security in the wrong direction.

Adam



Students Find Hole in Car Security Systems

2005-01-29 Thread Eugen Leitl

http://www.nytimes.com/2005/01/28/science/28cnd-key.html?ei=5094&en=48eb306a45a3b7a0&hp=&ex=1106974800&oref=login&partner=homepage&pagewanted=all&position=

Students Find Hole in Car Security Systems
By JOHN SCHWARTZ

Published: January 28, 2005

BALTIMORE - Matthew Green starts his 2005 Ford Escape with a duplicate key he
had made at Lowe's. Nothing unusual about that, except that the automobile
industry has spent millions of dollars to keep him from being able to do it.

Mr. Green, a graduate student at Johns Hopkins University, is part of a team
that plans to announce on Jan. 29 that it has cracked the security behind
"immobilizer" systems from Texas Instruments Inc. The systems reduce car
theft, because vehicles will not start unless the system recognizes a tiny
chip in the authorized key. They are used in millions of Fords, Toyotas and
Nissans.

All that would be required to steal a car, the researchers said, is a moment
next to the car owner to extract data from the key, less than an hour of
computing, and a few minutes to break in, feed the key code to the car and
hot-wire it.

An executive with the Texas Instruments division that makes the systems did
not dispute that the Hopkins team had cracked its code, but said there was
much more to stealing a car than that. The devices, said the executive, Tony
Sabetti, "have been fraud-free and are likely to remain fraud-free."

The implications of the Hopkins finding go beyond stealing cars.

Variations on the technology used in the chips, known as RFID for radio
frequency identification, are widely used. Similar systems deduct highway
tolls from drivers' accounts and restrict access to workplaces.

Wal-Mart is using the technology to track inventory, the Food and Drug
Administration is considering it to foil drug counterfeiting, and the medical
school at the University of California, Los Angeles, plans to implant chips
in cadavers to curtail unauthorized sale of body parts.

The Johns Hopkins researchers say that if other radio frequency ID systems
are vulnerable, the new field could offer far less security than its
proponents promise.

The computer scientists are not doing R.&D. for the Mafia. Aviel D. Rubin, a
professor of computer science who led the team, said his three graduate
students did what security experts often do: showed the lack of robust
security in important devices that people use every day.

"What we find time and time again is the security is overlooked and not done
right," said Dr. Rubin, who has exposed flaws in electronic voting systems
and wireless computer networks.

David Wagner, an assistant professor of computer science at the University of
California, Berkeley, who reviewed a draft of a paper by the Hopkins team,
called it "great research," adding, "I see it as an early warning" for all
radio frequency ID systems.

The "immobilizer" technology used in the keys has been an enormous success.
Texas Instruments alone has its chips in an estimated 150 million keys.
Replacing the key on newer cars can cost hundreds of dollars, but the
technology is credited with greatly reducing auto theft.

Early versions of in-key chips were relatively easy to clone, but the Texas
Instruments chips are considered to be among the best. Still, the amount of
computing the chip can do is restricted by the fact that it has no power of
its own; it builds a slight charge from an electromagnetic field from the
car's transmitter.

Cracking the system took the graduate students three months, Dr. Rubin said.
"There was a lot of trial and error work with, every once in a while, a
little 'Aha!' "

The Hopkins researchers got unexpected help from Texas Instruments itself.
They were able to buy a tag reader directly from the company, which sells
kits for $280 on its Web site. They also found a general diagram on the
Internet, from a technical presentation by the company's German division. The
researchers wrote in the paper describing their work that the diagram
provided "a useful foothold" into the system. (The Hopkins paper, which is
online at www.rfidanalysis.org, does not provide information that might allow
its work to be duplicated.)

The researchers discovered a critically important fact: the encryption
algorithm used by the chip to scramble the challenge uses a relatively short
code, known as a key. The longer the code key, which is measured in bits, the
harder it is to crack any encryption system.

"If you were to tell a cryptographer that this system uses 40-bit keys, you'd
immediately conclude that the system is weak and that you'd be able to break
it," said Ari Juels, a scientist with the research arm of RSA Security, which
financed the team and collaborated with it.

The team wrote software that mimics the system, which works through a pattern
of challenge and response. The researchers took each chip they were trying to
clone and fed it challenges, and then tried to duplicate the response by
testing all 1,099,511,627,776 possible encryption keys. Once